perfSONAR User Q&A and Other Discussion

[Alex Hsia <>]

I would like to add my support for a resolution to this issue.  For Federal Government users, we are getting scanned more often by external entities and getting flagged for insecure TLS/SSL, weak ciphers and HSTS.  

Alex Hsia ==============================================================
NOAA/OAR                                            Phone: (303)497-6351
Mailstop R/ESRL                                    GVoice: (303)536-5430
325 Broadway                                  e-mail:
Boulder, CO  80305                                   PGP keyid: 8A482A90
========================================================================

On Fri, Nov 9, 2018 at 6:13 AM Doug Wussler <> wrote:

I believe this is the same issue I reported in December last year.  For that email discussion see:

 

https://lists.internet2.edu/sympa/arc/perfsonar-user/2017-12/msg00076.html

 

For the GitHub issue, see https://github.com/perfsonar/toolkit/issues/291

 

Bottom line:  The SSL.CONF file distributed with PerfSonar needs to be changed.  The SSLProtocol and SSLCipherSuite settings need to be moved outside the VirtualHost.  That way, individual deployments can override the default settings with customized configuration files.  As the file is now distributed, these settings are being place inside the VirtualHost and thus cannot be overridden by a customized config file.

 

Doug

 

 

 

Doug Wussler

Florida State University

 

 

From: <> on behalf of "Garnizov, Ivan" <>
Date: Friday, November 9, 2018 at 3:57 AM
To: Darryl K Wohlt <>, "" <>
Subject: [perfsonar-user] AW: Automatic yum update changed the ssl.conf file

 

Hello Darryl,

 

Could you please provide more information about your installation?

Is this a pS Toolkit, pS Testpoint or is this Central management deployment, other?

 

Please keep in mind, that the pS Toolkit is delivered as a full featured product to a lot of users with different skill levels and different use cases. Still to better understand your issue we need to know at least what is installed on your machine.

 

Regards,

Ivan Garnizov

 

GEANT SA1T2: pS deployments GN Operations

GEANT SA2T3: pS development team

GEANT SA3T5: eduPERT team

 

Jubiläumsjahr 2018 - IT in Bewegung

Das RRZE - der IT-Dienstleister der FAU

www.50-jahre.rrze.fau.de

 

Von: [mailto:] Im Auftrag von Darryl K Wohlt
Gesendet: Freitag, 9. November 2018 00:32
An:
Betreff: [perfsonar-user] Automatic yum update changed the ssl.conf file

 

I received an alert from our computer security group saying that my PS instance “supports the use of TLS 1.0&1.1 and/or 3DES in one or more cipher suites.”  This is a big deal at our site.

 

When I upgraded this host in late October I made sure to update ssl.conf to allow only TLSv1.2.  After this alert I checked it again, and found it was modified (replaced?) at the same time an automatic yum update occurred.  This has happened before.

 

Can we please not modify this file during updates?

 

Thanks

 

Darryl K. Wohlt

Network Architect I

 

CCD/NCS/Network Services

Fermi National Accelerator Laboratory

P.O. Box 500, MS 368

Batavia, Illinois 60510

USA

 

630 840 2901 office

630 945 5687  mobile

www.fnal.gov